Configure file policies in Microsoft Defender for Cloud Apps

  • 8 minutes

Policies allow you to define the way you want your users to behave in the cloud. They enable you to detect risky behavior, violations, or suspicious data points and activities in your cloud environment. If necessary, you can integrate remediation workflows to achieve complete risk mitigation. There are multiple types of policies that correlate to the different types of information an organization can gather about its cloud environment. The policies also include the types of remediation actions an organization can take.

For example, let's assume there's a data violation threat that you want to quarantine. The policy type for this scenario is different from the policy type that blocks users from using a risky cloud app.

Microsoft Defender for Cloud Apps can monitor any file type based on more than 20 metadata filters (for example, access level, file type, and so on). The Microsoft Defender for Cloud Apps engine combines the following three aspects under each policy:

  • Content scan based on preset templates or custom expressions.

  • Context filters, including:

    • User roles
    • File metadata
    • Sharing level
    • Organizational group integration
    • Collaboration context
    • Other customizable attributes

  • Automated actions for governance and remediation.

    Note

    The first triggered policy guarantees the only governance action the system applies. For example, if a file policy has already applied a sensitivity label to a file, a second file policy can't apply another sensitivity label to it. For more information, see Control.

Once an organization enables a policy, the policy continuously:

  • Scans the organization's cloud environment.
  • Identifies files that match the content and context filters configured by the organization.
  • Applies the requested automated actions.

File policies detect and remediate any violations for at-rest information or when users create new content. Administrators can monitor policies using real-time alerts or console-generated reports.

Policy types

The Policy page in the Microsoft Defender for Cloud Apps portal displays the various policies and templates. You can distinguish them by type to help readily identify which policies are available. The policies appear together on the All policies tab, or in their respective category tabs. The available policies depend on the data source and what you enabled in Microsoft Defender for Cloud Apps for your organization. For example, if you uploaded Cloud Discovery logs, the system displays the policies related to Cloud Discovery.

The following table describes the types of policies that organizations can create.

Policy type Category Use
Activity policy Threat detection Activity policies allow organizations to enforce a wide range of automated processes using app providers' APIs. These policies enable you to monitor specific activities carried out by various users, or follow unexpectedly high rates of a certain type of activity. Learn more.
Anomaly detection policy Threat detection Anomaly detection policies enable an organization to look for unusual activities on its cloud. Detection is based on the risk factors you set. These risk factors alert you when something happens that's different from the baseline of your organization or from the user's regular activity. Learn more.
OAuth app policy Threat detection OAuth app policies enable an organization to investigate which permissions each OAuth app requested, and then automatically approve or revoke them. These built-in policies come with Defender for Cloud Apps. Learn more.
Malware detection policy Threat detection Malware detection policies enable an organization to identify malicious files in its cloud storage and then automatically approve or revoke it. This built-in policy comes with Defender for Cloud Apps. Learn more.
File policy Information protection File policies enable an organization to scan its cloud apps for:
- specified files or file types, such as shared, and shared with external domains.
- data, such as proprietary information, personal data, credit card information, and other types of data.

File policies can then apply governance actions to the files (governance actions are cloud-app specific). Learn more.
Access policy Conditional access Access policies provide an organization with real-time monitoring and control over user logins to its cloud apps. Learn more.
Session policy Conditional access Session policies provide an organization with real-time monitoring and control over user activity in its cloud apps. Learn more.
App discovery policy Shadow IT App discovery policies enable an organization to set alerts that notify it when Cloud Discovery detects new apps. Learn more.
Cloud Discovery anomaly detection policy Shadow IT Cloud Discovery anomaly detection policies look at the logs an organization uses for discovering cloud apps and search for unusual occurrences. For example, when a user who never used Dropbox before suddenly uploads 600 GB to Dropbox, or when there are a lot more transactions than usual on a particular app. Learn more.

Identifying risk

Defender for Cloud Apps helps organizations mitigate different risks in the cloud. You can configure any policy and alert to be associated with one of the risks in the following table.

Risk What should you consider? Description
Access control Who accesses what from where? Continuously monitor behavior and detect anomalous activities, including high-risk insider and external attacks. You can then apply a policy to alert, block, or require identity verification for any app or specific action within an app. Enables on-premises and mobile access control policies based on user, device, and geography with coarse blocking and granular view, edit, and block. Detect suspicious sign-in events, including multifactor authentication failures, disabled account sign-in failures, and impersonation events.
Compliance Are your compliance requirements breached? Catalog and identify sensitive or regulated data stored in file-sync services, such as sharing permissions for each file. Doing so ensures compliance with regulations such as PCI, SOX, and HIPAA.
Configuration control Are unauthorized changes made to your configuration? Monitor configuration changes including remote configuration manipulation.
Cloud Discovery Are new apps used in your organization? Did users use Shadow IT apps that you don't know about? Rate overall risk for each cloud app based on regulatory and industry certifications and best practices. Enables you to monitor the number of users, activities, traffic volume, and typical usage hours for each cloud application.
DLP Are proprietary files shared publicly? Do you need to quarantine files? On-premises DLP integration provides integration and closed-loop remediation with existing on-premises DLP solutions.
Privileged accounts Do you need to monitor admin accounts? Real-time activity monitoring and reporting of privileged users and admins.
Sharing control How is data shared in your cloud environment? Inspect the content of files and content in the cloud, and enforce internal and external sharing policies. Monitor collaboration and enforce sharing policies, such as blocking users from sharing files outside their organization.
Threat detection Are there suspicious activities threatening your cloud environment? Receive real-time notifications for any policy violation or activity threshold via text message or email. By applying machine learning algorithms, Defender for Cloud Apps enables you to detect behavior that could indicate that a user is misusing data.

Examples of different file policies

The following examples describe various file policies that organizations can create:

  • Publicly shared files. Receive an alert about any publicly shared file in your cloud by selecting all files with a sharing level set to Public.
  • Publicly shared filename contains the organization's name. Receive an alert about any file that contains your organization's name that someone publicly shared.
  • Sharing with external domains. Receive an alert about any file shared with accounts owned by specific external domains. For example, files shared with a competitor's domain. Select the external domain with which you want to limit sharing.
  • Quarantine shared files not modified during the last period. Receive an alert about shared files that no one modified recently, to quarantine them or choose to turn on an automated action. Exclude all the Private files that users didn't modify during a specified date range. On Google Workspace, you can choose to quarantine these files, using the 'quarantine file' checkbox on the policy creation page.
  • Sharing with unauthorized users. Receive an alert about files shared with unauthorized group of users in your organization. Select the users for whom sharing is unauthorized.
  • Sensitive file extension. Receive an alert about exposed files with specific extensions. Select the specific extension (for example, crt for certificates) or filename and exclude those files with private sharing level.

Create a new file policy

Complete the following steps to create a new file policy:

  1. On the Microsoft Defender for Cloud Apps portal, select Control in the navigation pane, and then select Policies.
  2. On the Policies page, the All policies tab is displayed by default. Select the Information protection tab.
  3. In the Information protection tab, select +Create policy on the menu bar. In the drop-down menu that appears, select File policy.
  4. On the Create file policy page, you should configure the following information for the policy:
    • Policy template. Use this field if you want to base your policy on a template. Select this field to display the list of predefined templates, and then select the appropriate template. If you want to create a customized policy, select No template. For more information on policy templates, see Control cloud apps with policies.
    • Policy name. Assign the policy a name.
    • Policy severity. If you set Defender for Cloud Apps to send you notifications on policy matches for a specific policy severity level, this level determines whether the policy's matches trigger a notification.
    • Category. Link the policy to the most appropriate risk type. This field is informative only. The system might preselect the risk according to the category for which you chose to create the policy. By default, the system sets the File policies category to DLP, although you can select a different value if necessary.
    • Description. Enter an optional description of the policy.
    • Files matching all of the following (filters). Create a filter for the files this policy acts on to set which discovered apps trigger this policy. Narrow down the policy filters until you reach an accurate set of files you wish to act upon. Be as restrictive as possible to avoid false positives. For example, if you wish to remove public permissions, remember to add the Public filter. Or, if you wish to remove an external user, use the "External" filter. When you use a policy filter, the Contains clause searches only for full words that you must separate with commas, dots, spaces, or underscores. For example:
      • If you search for the words "malware" or "virus":
        • It finds virus_malware_file.exe.
        • It doesn't find malwarevirusfile.exe.
      • If you search for malware.exe:
        • It finds ALL files with either malware or exe in their filename.
      • If you search for "malware.exe" (with the quotation marks):
        • It only finds files that contain exactly "malware.exe" (including the quotation marks). Equals searches only for the complete string. For example, if you search for malware.exe, it finds malware.exe but not malware.exe.txt.
    • Apply to. For this filter, select either all files, all files excluding selected folders, or selected folders. You can enforce your file policy over all files on the app or on specific folders. The system redirects you to sign in the cloud app, and then add the relevant folders.
    • Select user groups. Select either all file owners, file owners from selected user groups, or all file owners excluding selected groups. Then select the relevant user groups to determine which users and groups to include in the policy.
    • Inspection method. You can select either the Built-in DLP or Data Classification Services method. Data Classification Services is the recommended method. Once you enable content inspection, you can:
      • Choose to use preset expressions or to search for other customized expressions.
      • Specify a regular expression to exclude a file from the results. This option is highly useful if you have an inner classification keyword standard that you want to exclude from the policy.
      • Set the minimum number of content violations that you want to match before the system considers the file a violation. For example, you can choose 10 if you want the system to alert you about files with at least 10 credit card numbers found within its content.
      • Unmask the last four characters of a match. When the system matches content against the selected expression, it replaces the violated text with "X" characters. By default, the system masks violations and shows them in their context. When doing so, it displays 100 characters before and after the violation. It replaces numbers in the context of the expression with "#" characters, and it never stores them within Defender for Cloud Apps. You can select the option to Unmask the last four characters of a violation to unmask the last four characters of the violation itself. It's necessary to set which data types the regular expression searches: content, metadata and/or file name. By default it searches the content and the metadata.
    • Governance actions. Select the action you want Defender for Cloud Apps to take when the system detects a match.
  5. Once you create your policy, you can view it in the File policy tab. You can always edit a policy, calibrate its filters, or change the automated actions.

When you create a new policy, the system automatically enables it. As such, it starts scanning your cloud files immediately. Take extra care when you set governance actions. Improperly set actions can lead to irreversible loss of access permissions to your files.

Microsoft recommends that you use multiple search fields to narrow down the filters. Doing so narrows down the list of files to the exact ones that you wish to act upon. The narrower the filters, the better. For guidance, you can use the Edit and preview results button in the Filters section.

File policy matches are files the system suspects might violate the policy. To view these files:

  1. In the Microsoft Defender for Cloud Apps navigation pane, select Control and then select Policies.
  2. On the Policies page, in the Filters section at the top of the page, select the Type filter to display the list of policy types. Select the appropriate type.
  3. For more information about the matches for a specific policy, select the policy.
  4. The system displays the "Matching now" files for the policy. Select the History tab to view the last six months of files that matched the policy.

Knowledge check

Choose the best response for the following question. Then select “Check your answers.”

Check your knowledge

1.

Which of the following policies looks at the logs you use for discovering cloud apps and searches for unusual occurrences, such as when the number of transactions on a particular app are higher than usual?